I followed your advice two weeks ago but things didn't get better. The AD SSO connection got lost some time at night, so I had to rejoin every morning for about two weeks. For some reason it worked on two different days, but please don't ask me why.

So I did update my HA cluster last Thursday to version 9.502-4 and rejoined AD SSO. Since then, the AD SSO authentication works like a charm :-)

On the other hand I have an error and I'm not sure if it's related to the update or if I'm just too blind to see:

If I try to connect to www.pkf.de, the site will always be blocked (blocked category Business). I'm quite sure that this external domain worked before. The strange thing is, looking at the web filter live protocol, calling this single domain is always without a valid AD user and therefore blocked. Every other domain from the same browser will be connected with a valid AD user.

This domain is whitelisted and has an exception for ^https?://([A-Za-z0-9.-]*\.)?pkf\.de/ and ^http?://([A-Za-z0-9.-]*\.)?pkf\.de/ with every single option activated. IPS has been deactivated for testing purposes.

I also have the following error when clicking on the blue exclamation mark on almost every exception rule:

Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 727.

I don't know if there is a context to the first error, but as far as I can see I have to either rebuild the database (at least in a single-device environment) or do a factory reset with a restore.
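An added illustration, not part of the thread and not Sophos code: the two exception regexes quoted in the post above, run with Python's `re` module (standard regex semantics; these constructs mean the same in Perl-style matchers) against constructed sample URLs. It shows what each rule actually covers: the first matches http and https for pkf.de and any of its subdomains, the `\.` in front of `pkf` keeps look-alike domains such as evilpkf.de out, the trailing `/` means a URL written without a trailing slash is not matched, and in the second pattern the `?` makes only the `p` optional, so `^http?://` matches `http://` (and `htt://`) but never `https://`. The rule names and sample URLs are my own constructions.

```python
import re

# The two exception regexes quoted in the post above, copied as written there.
RULE_HTTPS_OPTIONAL = r"^https?://([A-Za-z0-9.-]*\.)?pkf\.de/"
RULE_HTTP_ONLY = r"^http?://([A-Za-z0-9.-]*\.)?pkf\.de/"

# Constructed labels for the two rules (not UTM terminology).
RULES = {
    "https?-rule": RULE_HTTPS_OPTIONAL,
    "http?-rule": RULE_HTTP_ONLY,
}

# Constructed sample URLs (not taken from the thread), chosen to probe the
# boundaries of a "domain plus all its subdomains" exception.
SAMPLE_URLS = [
    "http://www.pkf.de/",            # plain http, subdomain
    "https://www.pkf.de/kontakt",    # https, subdomain, with a path
    "https://pkf.de/",               # https, bare domain
    "https://www.pkf.de",            # https, but no trailing slash
    "https://evilpkf.de/",           # look-alike domain ending in pkf.de
    "https://pkf.de.example.com/",   # pkf.de as a label of another domain
    "ftp://www.pkf.de/",             # other scheme
]


def matches(rule: str, url: str) -> bool:
    """True when the anchored exception regex matches the URL.

    re.match tests from the start of the string, and the rules carry their
    own leading ^, so this mirrors a start-anchored URL regex.
    """
    return re.match(rule, url) is not None


def matching_rules(url: str) -> list[str]:
    """Names of the rules (from RULES) that would exempt the given URL."""
    return [name for name, rule in RULES.items() if matches(rule, url)]


def coverage_table(urls=SAMPLE_URLS) -> dict[str, list[str]]:
    """Map each sample URL to the rules that match it, for side-by-side review."""
    return {url: matching_rules(url) for url in urls}


if __name__ == "__main__":
    for url, rules in coverage_table().items():
        print(f"{url:32} -> {', '.join(rules) or '(no rule matches)'}")
```

Running the block prints one line per sample URL with the rules that exempt it. Keeping the two rules apart makes the point visible: for https traffic the second rule adds nothing, and neither rule exempts a look-alike domain or a URL that lacks the trailing slash.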

Authentication issues: I synced my web proxy with my DC and joined the UTM to the domain. Today my user is browsing the Internet without problems, tomorrow it doesn't work unless I do a rejoin of the UTM to the domain. These problems have occurred on several UTMs I manage since the update to 9.501.

Maybe one thing I experienced yesterday. After AD SSO was running fine since upgrading to 9.502-4, I activated DNSSEC yesterday afternoon. After two hours I received the following warning mail:

There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

Error was:

- failed to run samba command on DOMAIN, exiting now

In the protocol view - system events - I found a lot of the following entries:

I had the error "failed to run samba ...." in the past when AD SSO authentication got broken. Since I have rebuilt my database I am not able to check deeper whether there was a similar error context before.

I upgraded to 9.502-4 last night and ran into some issues with not being able to rejoin my UTM to the domain. After deleting the old entry for the firewall and forcing replication, I was able to join my UTM to the domain. Even after forcing replication, it took about 5-10 minutes before I could rejoin the UTM to the domain. However, it created an entry in DNS for each interface in the UTM. Now there were multiple clients having issues browsing the Internet. The issue was caused by the multiple entries. I deleted all the entries except for the one that pointed to the internal IP address for the UTM.

I am in the same boat. I called Sophos support multiple times and no one even mentioned rejoining the domain. They did not mention anything from this forum. Things work for a bit, then no one can access anything. A reboot of both UTMs in the HA is necessary and this fixes it for a short time most of the time, but the issue has been present every day since we ran these updates. I am at the latest update also, 9.502-4.

Very disappointed with our new Sophos UTMs since the update. School is about to start and we will have 10,000 people here, all with struggling Internet connections because of this update.

Your final step has the effect of causing the UTM to do SSO user authentication with NTLM instead of Kerberos. Did you find that there was no function until you made that change? Note that, depending on the hardware in use, joining can take (what feels like) five to ten minutes.

Yes, it was instantly working when the setting was changed to IP. If not, a browser error message appears: "authentication failed". It comes today as well, when I change it back to hostname. So this problem might not be completely fixed in Sophos firmware yet?